SFLC legal assistance for fingerprint projects

Now that NIST have finally made public information provided to me in private about their export control concerns, I wrote up a summary of the situation and approached SFLC about getting legal advice.

Shortly after, I am contacted by James Vasile, a member of their counsel. James has experience in this area and I anticipate some answers within the next few weeks. The process so far has been very simple and efficient, let’s hope the news is good news!

14 Responses to “SFLC legal assistance for fingerprint projects”

Excellent news, Daniel ! Don’t forget, as soon as you get this legal mumbo jumbo sorted out, you have ppl willing to test the hell out of your code ! :) Once the detection works, we sure start thinking about a pam plugin. Maybe use the one provided by BioAPI ?

But well, I guess it’s only German that sticks with the law stuff so strictly… for open source softs i guess we Canadians don’t care about any kind of law stuff… but just do it. Our theory is that, ‘You are guilty only when you are caught.’ The law issue for this case is the exporting stuff instead of security reasons, without any profit, I guess no one wold care about it. :p if you release things onto emule then even no one would find out. ~Go Daniel~ lol

Hehe, right on there William. Being a fellow Canadian, I agree ! I was thinking, maybe, Daniel, you could release your code and anyone who wants to use it would have to order the CD ? That could work temporarily, no ?

It’s hard to release standalone code which requires the NBIS CDROM because the code on there does not compile on any modern system, and this would also require extra work on the dpfp side — NBIS isn’t very well designed as a form of library.

The export control regulations seem to be focused around ensuring sensitive code is not distributed to terrorist-supportive regions. It doesn’t make a difference whether you are profiting or not.

Dsd,
One way that you could provide such a system is to have people get the NBIS CD from NIST and have a patch for it that would integrate it with your current source code. This would leave the legal issues up to the NIST so you don’t have to deal with them.
Scott.

I have begun creating a daemon for this utility which can run in the background and wait for interactions from the user. I am going to use the DBUS messaging system to allow other applications to dynamically call the device and set the state and scanning modes.

The reason I am pursuing this is because I have already modified the pam_bioapi source to include MySQL and OpenLDAP support but lack the funding for a Digital Persona U.are.U 4000 USB Biometric Sensor URU4S and have opted for something more cost efficient with the MS Fingerprint reader.

Since the current pam_bioapi does not currently interface with the libdpfp I feel this is the way to go, however I have also thought that the additional support should be added to the bioapi framework vs. creating an independent daemon to access the libdpfp interface.

Oh yeah, I also forgot to add that I have successfully began creating a pam module that utilizes your current libdpfp framework. It is simple at best but it does initialize the device for reading. The limitations of this is that the device is not available until after the enter key or login button are initiated.

As I have stated earlier I believe the best method of utilizing this device for authentication purposes (1 of many I suppose), is to have a service running which can accept commands for the device and still believe modification of the bioapi framework would be a more “standardized” proposal vs. a stand alone daemon running the background utilizing d-bus messages.

I have put the project here [http://pam-libdbfp.sourceforge.net/] if anyone wants to see some of the code I am currently using. If anyone has contacts with the developers of the BioAPI linux framework perhaps we can rally them to add support for the device to make it more standardized?

Yes, working on it as a university project, currently in early stages. Expect some code released before the end of the year. This will be an open source project once I have implemented the fundamentals myself.